Security vendor Sucuri is warning that it has spotted an attack in the wild that embeds malicious code in PNG files.
The iFrame injection attack loaded a valid jquery.js file with very little to alert even the researcher that something else was going on. As the company writes in this blog post, the only red flag in the code was a loadFile() function downloading dron.png into the iFrame.